Series Introduction

Networks dominate today's computing landscape and
commercial technical protection is lagging behind attack technology. As
a result, protection program success depends more on prudent management
decisions than on the selection of technical safeguards. Managing
Network Security takes a management view of protection and seeks to
reconcile the need for security with the limitations of technology.

Security vs. Freedom

In information protection we are always balancing
one thing against another. The classic risk management formulation uses
money as the ultimate adjudicator because money can be used as a common
metric between most things. You can buy lots of things, and perhaps you
can even, sometimes, buy your freedom, at least in some sense. But in
security in general and in information protection in particular, we are
always balancing freedoms with protection, and we often forget about the
freedom side of the equation when we do our work.

In most businesses, the business owns the assets
including the information assets associated with the business. With
reasonable policies in place, the company, as owner, is allowed to
examine anything stored in or transmitted between any of the computers
they own, at least for the purpose of properly maintaining their
function and, in most cases, for any legitimate business purpose they so
choose.

Recent events have caused a fervor that has moved
toward the creation of the Digital Millennium Copyright Act in the United
States, and statutes in the European Union and the United Kingdom that
are starting to match those in some of the countries we normally
associate with oppression. As we move toward the edge of war, still more
of these rights have been abandoned by a Congress anxious to find
evildoers. We now have 48-hour telecommunication and Internet taps at
the discretion of a prosecutor - no judge required - and more still to
come, no doubt.

Privacy and Power

I am not as much of a historian as many others, but
I know enough to know that the last time the United States went down
this road it led to the McCarthy era, to tapping of political enemies of
the executive branch, to the defamation of character and ruining of
careers of many thousands, and the list goes on and on. Freedom did not
ring for many black-listed Americans during that era, and it is now
being cut back for all Americans once again, all in the name of a war
that did not exist only a few short days ago. By the time you, my
readers, get this, it will have been a few months, and you can assess
for yourselves how things have changed since then.

This is of particular concern when we consider that
the current administration in the United States was, in some sense,
appointed by the Supreme Court and anointed by the first all-Republican
Congress in memory. The US oil companies were gouging prices to
Americans in states that did not vote for Bush until one Republican
senator decided to leave the party to allow the Senate to become a
Democratic majority (of 1), at which time the oil prices miraculously
balanced across states - they called it market forces.

This, to me, exemplifies how close the balance of
power can be, even in a nation of hundreds of millions of people. And
the abuses that we saw during the 1950s, 60s, and 70s that were asserted
to be due to the "Cold War" are being reinvoked with even more furor and
far tighter controls at the beginning of the "Terror War". As we give
up more of our freedoms for the supposed security we are to gain, we are
in fact gaining neither.

The Hypocritic Oath

I did not misspell it. I am, of course, talking
about the oath to hypocrisy that we will all have to take. It is an oath
many in the information protection community have taken before, and one
that the greater community seems to be taking now. Here's how it goes:

1) We want to put in ever tighter and more
invasive controls, but we cannot get permission to do so.

2) An incident comes along that is sufficiently
scary that people want action right away.

3) We invoke their fear to implement the
controls we wanted to put in place before, even though none of those
controls would have stopped what happened anyway.

It is hypocrisy at its worst, and its most
terrifying. The US just increased all aspects of personally invasive
security measures at airports, but not one of them, including the one
that tells us we cannot bring even the smallest pocket knife on board a
plane, could have stopped the incidents that took place on 9/11/2001
(the so-called 911 attacks). And furthermore, mitigating the threat of
such attacks being repeated took about 20
minutes. By the time the last of the 4 flights in the air turned toward
Washington, DC, the passengers already knew what was going to happen and
they chose the earlier loss of their own lives by trying to take back
control of the jet. The next person who tries to pull a knife on a
plane for this purpose will probably never get much past standing up
before they are subdued by the other passengers. They will be lucky to
survive it.

The new measures are, of course, almost useless when
it comes to preventing a similar attempt. How hard is it to hide a hard
plastic knife in a hard plastic briefcase? It is simple to do and there
are even bags that already provide this. The X-Ray machines and the
detailed searches of these bags will not likely have any effect on
eliminating that threat - which has already been defeated by the acts of
passengers. All of this increased security is just another withering of
the privacy rights of people - which will eventually lead down the road
to a system like that of the Soviets before the breakup.

Self Defense in Cyber Space

While physical assault can be legally met with
adequate (but not excessive) force to provide for self defense, in the
cyber arena, responses have historically been legally limited to
defensive maneuvers only. The doctrine of self defense must eventually
come into play with at least the possibility of returning information
attacks with information counter-attacks. As denial of service attacks
become more rampant and more forceful, purely defensive responses become
less and less effective. The fear of collateral damage will soon be
outweighed by the harm to self by passive response, and a doctrine must
arise that allows the defenders to become aggressive.

The current phrasing is something like 'active
defense', but there are limits to what can be done with purely passive
response or response that does not somehow influence the attackers,
whether they be automated, manual, or combinations thereof. Recent
defenses have escalated somewhat by providing packet responses that slow
or stop the attacker from proceeding from place to place. One example
is a 'SYN ACK' response to a 'SYN' followed by ignoring subsequent
traffic. This causes many TCP stacks to stop sending more data. But
this is only the beginning.
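
A model of the 'SYN ACK' response described above, added here as an
illustration and not part of the original column. The class and function
names, the sample addresses, and the retransmission timer values are
assumptions chosen for the example; real TCP stacks use their own timers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str      # sender address
    sport: int    # sender port
    dport: int    # port probed on the defended address
    flags: str    # "S" SYN, "A" ACK, "PA" data, "F" FIN, "R" RST

class Tarpit:
    """Answer the first SYN of a flow with SYN-ACK, then go silent."""

    def __init__(self):
        self.held = set()  # flows that were answered once

    def respond(self, seg):
        flow = (seg.src, seg.sport, seg.dport)
        if seg.flags == "S" and flow not in self.held:
            self.held.add(flow)
            return "SYN-ACK"
        return None  # dropped: no ACK, no RST, no FIN is ever sent

def replay(segments):
    """Feed segments to a fresh tarpit; return (responses, flows held)."""
    pit = Tarpit()
    return [pit.respond(s) for s in segments], len(pit.held)

def stall_seconds(initial_rto=0.2, max_rto=120.0, retries=15):
    """Seconds a sender spends retransmitting one unacknowledged segment.

    Assumed model: the timeout doubles after each retransmission up to
    max_rto, and the sender gives up one timeout after the last retry.
    """
    total, rto = 0.0, initial_rto
    for _ in range(retries + 1):
        total += rto
        rto = min(rto * 2, max_rto)
    return round(total, 1)

# Constructed sample: one scanner connection to an unused address.
SAMPLE = [
    Segment("192.0.2.10", 40001, 80, "S"),   # probe
    Segment("192.0.2.10", 40001, 80, "A"),   # handshake completes
    Segment("192.0.2.10", 40001, 80, "PA"),  # first data segment
    Segment("192.0.2.10", 40001, 80, "PA"),  # retransmission, unanswered
]

if __name__ == "__main__":
    print(replay(SAMPLE))
    print(stall_seconds())
```

With the assumed timers, a sender that believes the connection is open
keeps retrying its first data segment for about fifteen minutes before
giving up, while the defender has sent a single packet.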

Recent results in deception have demonstrated that
deceptions against automated attack mechanisms are relatively easy to
design and can be quite effective at slowing attacks or causing them to
behave very differently than they otherwise would. It is only a small
step from there to move toward responses to attacks that cause crashes
in attacking systems. The technology already exists to do this, but
there is some fear in the community around what will be legal in what
cases. But it seems clear that as the stakes rise, increased responses
will become acceptable, perhaps even encouraged.

Where will it end - or will it?

In the end, the ill-defined term 'terrorism' will be
used like all other 'ism's - as a way to divide people into groups and
thus conquer them. New laws making unauthorized computer hardware and
software illegal will allow those with money and power to eliminate all
competition, while at the same time they spend the money of the average
person to build new weapons and capabilities to use against those people.

It is the height of foolishness to think that those
who flew planes into the World Trade Center and the Pentagon failed to
understand this. Indeed, they almost certainly counted upon it. Indeed
this is a form of an unholy alliance.

Those with money have privately funded our 'elected'
representatives to take from the retirement funds of all US citizens
(i.e., the Social Security [un]lock[ed] box) and give to the wealthy
corporate interests (i.e., those who can afford to get 'certified'
systems and those in the military industrial complex). The 'tax cut and
spend' Republicans have used the opportunity to explain away the
recession that they helped to bring about, while the Democrats have bent
to their will in all but the most obvious ways.

But the battle has just begun...

I was taking one of my daughters home from a dance
class today and listening to the radio with its stories of the effects
of the terrorist incidents. She indicated that, although she hated to
admit it, she was losing interest in this whole story. Indeed, the
saturation effects of the media have desensitized many of us to the
situation - and our politicians and media have declared that 'America
has changed forever'.

In my view, this is not a commentary on the past
events, but a battle cry for the next step toward the end of our freedoms.
I explained to my daughter that the situation is not as stable and
boring as she might be led to believe. Indeed, from what I can tell,
the battle against freedom for citizens of the US, and as a side effect,
the rest of the 'Western' world, has just emerged and shown its true
form.

Freedom cannot be taken from you. The only way to
lose it is to freely give it up. And that is just what the so-called
free people of the world are doing.

"The tree of liberty must be refreshed from time to time with the
blood of patriots and tyrants". Thomas Jefferson

This is no less than a call to arms. It is a call
to arms, not only in the quest to hunt down those who would use terror
against non-combatants, but also for those who would protect freedom by
protecting the rights of the barely free peoples of the world. This is
the time to fight for your rights - of free speech and expression - of
privacy and the expectation thereof - and of other rights that I will
not list here individually.

At about noon today, a bomb threat caused Kennedy
airport in New York to be evacuated. Information warfare at its best,
and terrorism at its apex. The proper response, in my view, is a lot
simpler. If we yield to such threats by invoking evacuations, we only
harm ourselves and give in to the attackers. It is time to stand less
for safety than for freedom. The proper response to a bomb threat is
not to evacuate, but to rapidly seek out and arrest the person who made
the threat, and to publicly and rapidly sentence them to an appropriate
length of jail time. The moment the threat shows up, the perpetrator
has given up their rights to privacy and they may be traced. It should
not require a judge or anything else - it should be automatic. But
until that moment when the threshold is exceeded, their privacy should
be guaranteed.

Cry HAVOC indeed! And let slip the rights you
have been guaranteed.

About The Author:

Fred Cohen is researching information protection as a
Principal Member of Technical Staff at Sandia National Laboratories,
helping clients meet their information protection needs as the Managing
Director of Fred Cohen and Associates, and educating cyber defenders
over-the-Internet as a practitioner in residence in the University of
New Haven's Forensic Sciences Program. He can be reached by sending
email to fred at all.net or visiting http://all.net/